def test_invalid_project_from_api_key_and_id(self):
    """Rejecting bad lookups: an unknown project id, then a key that is not the project's."""
    api_key = self.pm.public_key
    rejected_lookups = [
        (api_key, 10000),        # project id that should not exist in the fixture
        (1, self.project.id),    # existing project, bogus key
    ]
    for key, project_id in rejected_lookups:
        with self.assertRaises(APIUnauthorized):
            project_from_api_key_and_id(key, project_id)
def test_invalid_project_from_api_key_and_id(self):
    """A wrong project id or a wrong key must both raise APIUnauthorized, never resolve a project."""
    api_key = self.pm.public_key
    # invalid project_id (10000 is assumed absent from the fixture)
    self.assertRaises(APIUnauthorized, project_from_api_key_and_id, api_key, 10000)
    # invalid api_key for a project that does exist
    self.assertRaises(APIUnauthorized, project_from_api_key_and_id, 1, self.project.id)
def store(request):
    """
    Store an inbound event payload.

    The owning project is resolved in one of three ways, tried in this
    order: signed auth headers; ``api_key`` + ``project_id`` GET parameters
    on an SSL request (signature verification is skipped there); or a
    ``project_id`` supplied by an already-authenticated user. Anything else
    is rejected with APIUnauthorized. An APIError raised anywhere in the
    flow is returned as an HttpResponse carrying its message and status.
    """
    try:
        auth_vars = extract_auth_vars(request)
        data = request.raw_post_data

        # Protocol version: from the auth header when present, else the query string.
        if auth_vars:
            server_version = auth_vars.get('sentry_version', '1.0')
        else:
            server_version = request.GET.get('version', '1.0')
        if server_version not in ('1.0', '2.0'):
            raise APIError('Client/server version mismatch. Unsupported version: %r' % server_version)

        params = request.GET
        if auth_vars:
            project = project_from_auth_vars(auth_vars, data)
        elif params.get('api_key') and params.get('project_id') and request.is_secure():
            # ssl requests dont have to have signature verification
            # NOTE(review): the key travels in the query string on this path,
            # so it can end up in access logs and Referer headers — confirm
            # that is acceptable for this key type.
            project = project_from_api_key_and_id(params['api_key'], params['project_id'])
        elif params.get('project_id') and request.user.is_authenticated():
            # authenticated users are simply trusted to provide the right id
            project = project_from_id(request)
        else:
            raise APIUnauthorized()

        # Payloads that do not already look like a JSON object are handed to
        # decode_and_decompress_data before parsing.
        if not data.startswith('{'):
            data = decode_and_decompress_data(data)
        data = safely_load_json_string(data)

        validate_data(project, data)
        insert_data_to_database(data)
    except APIError as error:
        return HttpResponse(error.msg, status=error.http_status)
    # NOTE(review): this listing ends at the error branch; the success-path
    # return is not visible here — confirm against the full file.
def store(request):
    """
    Store an inbound event payload.

    Project resolution, in priority order: signed auth headers;
    ``api_key`` + ``project_id`` GET parameters on an SSL request
    (no signature check on that path); or ``project_id`` from an
    authenticated user. Any other request is rejected with APIUnauthorized.
    After decoding the body, ensure_valid_project_id is applied before the
    payload is inserted. An APIError becomes an HttpResponse with the
    error's message and HTTP status.
    """
    try:
        auth_vars = extract_auth_vars(request)
        data = request.raw_post_data
        params = request.GET

        if auth_vars:
            project = project_from_auth_vars(auth_vars, data)
        elif params.get('api_key') and params.get('project_id') and request.is_secure():
            # ssl requests dont have to have signature verification
            # NOTE(review): credentials in the query string are visible to
            # proxies and access logs even over TLS — verify this is intended.
            project = project_from_api_key_and_id(params['api_key'], params['project_id'])
        elif params.get('project_id') and request.user.is_authenticated():
            # authenticated users are simply trusted to provide the right id
            project = project_from_id(request)
        else:
            raise APIUnauthorized()

        # Bodies not already starting as a JSON object go through
        # decode_and_decompress_data before being parsed.
        if not data.startswith('{'):
            data = decode_and_decompress_data(data)
        data = safely_load_json_string(data)

        # NOTE(review): no sentry_version check on this variant, and only the
        # project id is validated here — whether the rest of the payload is
        # checked downstream is not visible in this listing.
        ensure_valid_project_id(project, data)
        insert_data_to_database(data)
    except APIError as error:
        return HttpResponse(error.msg, status=error.http_status)
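def store(request):
    """
    The primary endpoint for storing new events.

    This will validate the client's authentication and data, and if
    successful pass on the payload to the internal database handler.

    Authentication works in three flavors:

    1. Explicit signed requests

       These are implemented using the documented signed request protocol,
       and require an authentication header which is signed with the
       project member's secret key.

    2. Explicit trusted requests

       Generally used for communications with client-side platforms (such
       as JavaScript in the browser), they require the GET variables
       api_key and project_id, as well as an HTTP_REFERER that passes
       ProjectDomain.test for the resolved project.

    3. Implicit trusted requests

       Used by the Sentry core, they are only available from same-domain
       requests and do not require any authentication information. They
       only require that the user be authenticated, that a project_id be
       sent in the GET variables, and that HTTP_REFERER is on the same
       domain as the request itself.

    Only POST requests are processed. Any APIError raised while handling
    the request is logged and converted into an HttpResponse carrying the
    error's message and HTTP status.
    """
    logger.debug('Inbound %r request from %r', request.method, request.META['REMOTE_ADDR'])
    client = '<unknown client>'
    try:
        if request.method == 'POST':
            auth_vars = extract_auth_vars(request)
            data = request.raw_post_data

            # Protocol version and client identifier come from the signed
            # header when present, otherwise from the query string / UA.
            if auth_vars:
                server_version = auth_vars.get('sentry_version', '1.0')
                client = auth_vars.get('sentry_client')
            else:
                server_version = request.GET.get('version', '1.0')
                client = request.META.get('HTTP_USER_AGENT', request.GET.get('client'))

            if server_version not in ('1.0', '2.0'):
                raise APIError('Client/server version mismatch: Unsupported version: %r' % server_version)

            if server_version != '1.0' and not client:
                raise APIError('Client request error: Missing client version identifier.')

            # Client-supplied header used as the CSRF/origin check for the two
            # unsigned flavors below; it may be absent (None).
            # NOTE(review): how ProjectDomain.test and is_same_domain treat a
            # missing referrer is not visible here — confirm both fail closed.
            referrer = request.META.get('HTTP_REFERER')

            if auth_vars:
                project = project_from_auth_vars(auth_vars, data)
            elif request.GET.get('api_key') and request.GET.get('project_id'):
                # public requests only need referrer validation for CSRF
                project = project_from_api_key_and_id(request.GET['api_key'], request.GET['project_id'])
                if not ProjectDomain.test(project, referrer):
                    raise APIUnauthorized()
            elif request.GET.get('project_id') and request.user.is_authenticated() and \
                    is_same_domain(request.build_absolute_uri(), referrer):
                # authenticated users are simply trusted to provide the right id
                project = project_from_id(request)
            else:
                raise APIUnauthorized()

            if not data.startswith('{'):
                data = decode_and_decompress_data(data)
            data = safely_load_json_string(data)

            try:
                validate_data(project, data)
            except InvalidTimestamp:
                # Log the error, remove the timestamp, and revalidate.
                # Arguments follow the order the format string names them
                # (client first, then the rejected timestamp); the original
                # passed them swapped. Lazy %-args avoid formatting when the
                # logger is disabled.
                error_logger.error(
                    'Client %r passed an invalid value for timestamp %r',
                    client or '<unknown client>',
                    data['timestamp'],
                )
                # Presumes InvalidTimestamp is only raised when the key exists
                # (the log line above already read it) — verify in validate_data.
                del data['timestamp']
                validate_data(project, data)

            insert_data_to_database(data)
    except APIError as error:
        logging.error('Client %r raised API error: %s', client, error, exc_info=True)
        response = HttpResponse(unicode(error.msg), status=error.http_status)
    # NOTE(review): the listing ends at the error branch; the success-path
    # response and the final return are not visible here — confirm against
    # the full file.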
def test_valid(self):
    """A project's public key plus its own id resolves to that same project."""
    self.assertEquals(
        project_from_api_key_and_id(self.pk.public_key, self.project.id),
        self.project,
    )
def test_valid(self):
    """Resolving (public_key, project.id) yields the fixture project."""
    public_key = self.pk.public_key
    resolved = project_from_api_key_and_id(public_key, self.project.id)
    self.assertEquals(resolved, self.project)
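def store(request):
    """
    The primary endpoint for storing new events.

    This will validate the client's authentication and data, and if
    successful pass on the payload to the internal database handler.

    Authentication works in three flavors:

    1. Explicit signed requests

       These are implemented using the documented signed request protocol,
       and require an authentication header which is signed with the
       project member's secret key.

    2. Explicit trusted requests

       Generally used for communications with client-side platforms (such
       as JavaScript in the browser), they require the GET variables
       api_key and project_id, as well as an HTTP_REFERER that passes
       ProjectDomain.test for the resolved project.

    3. Implicit trusted requests

       Used by the Sentry core, they are only available from same-domain
       requests and do not require any authentication information. They
       only require that the user be authenticated, that a project_id be
       sent in the GET variables, and that HTTP_REFERER is on the same
       domain as the request itself.

    Only POST requests are processed. A payload rejected by validate_data
    (InvalidData) is reported to the client as an APIError; any APIError is
    logged and converted into an HttpResponse carrying the error's message
    and HTTP status.
    """
    logger.debug('Inbound %r request from %r', request.method, request.META['REMOTE_ADDR'])
    client = '<unknown client>'
    try:
        if request.method == 'POST':
            auth_vars = extract_auth_vars(request)
            data = request.raw_post_data

            # Protocol version and client identifier come from the signed
            # header when present, otherwise from the query string / UA.
            if auth_vars:
                server_version = auth_vars.get('sentry_version', '1.0')
                client = auth_vars.get('sentry_client')
            else:
                server_version = request.GET.get('version', '1.0')
                client = request.META.get('HTTP_USER_AGENT', request.GET.get('client'))

            if server_version not in ('1.0', '2.0'):
                raise APIError('Client/server version mismatch: Unsupported version: %r' % server_version)

            if server_version != '1.0' and not client:
                raise APIError('Client request error: Missing client version identifier.')

            # Client-supplied header used as the CSRF/origin check for the two
            # unsigned flavors below; it may be absent (None).
            # NOTE(review): how ProjectDomain.test and is_same_domain treat a
            # missing referrer is not visible here — confirm both fail closed.
            referrer = request.META.get('HTTP_REFERER')

            if auth_vars:
                project = project_from_auth_vars(auth_vars, data)
            elif request.GET.get('api_key') and request.GET.get('project_id'):
                # public requests only need referrer validation for CSRF
                project = project_from_api_key_and_id(request.GET['api_key'], request.GET['project_id'])
                if not ProjectDomain.test(project, referrer):
                    raise APIUnauthorized()
            elif request.GET.get('project_id') and request.user.is_authenticated() and \
                    is_same_domain(request.build_absolute_uri(), referrer):
                # authenticated users are simply trusted to provide the right id
                project = project_from_id(request)
            else:
                raise APIUnauthorized()

            if not data.startswith('{'):
                data = decode_and_decompress_data(data)
            data = safely_load_json_string(data)

            try:
                validate_data(project, data, client)
            except InvalidData as e:
                # Surface payload validation failures as a regular API error
                # so they reach the client with an HTTP status.
                raise APIError(unicode(e))

            insert_data_to_database(data)
    except APIError as error:
        # Lazy %-args: the message is only formatted if the record is emitted.
        logging.error('Client %r raised API error: %s', client, error, exc_info=True)
        response = HttpResponse(unicode(error.msg), status=error.http_status)
    # NOTE(review): the listing ends at the error branch; the success-path
    # response and the final return are not visible here — confirm against
    # the full file.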